On this page
|
| SUMMARY | |
| Protocol |
: |
Encapsulated Security Payload |
| Protocol suite |
: |
TCP/IP |
| Layer |
: |
Network Layer |
| Related protocols |
: |
IPsec,
AH,
DES,
AES,
IKE,
DOI,
HMAC,
HMAC-MD5,
HMAC-SHA,
PKI,
IP,
IPv6,
ICMP,
IGMP |
| Working groups |
: |
Ipsec, IP Security Protocol |
|
| DESCRIPTION |
The Encapsulating Security Payload (ESP) header is designed to provide a mix of security services in IPv4 and IPv6. ESP may be applied alone, in combination with the IP Authentication Header (AH), or in a nested fashion, e.g., through the use of tunnel mode. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a security gateway and a host. For more details on how to use ESP and AH in various network environments, see the Security Architecture document.
The ESP header is inserted after the IP header and before the upper layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode). These modes are described in more detail below.
ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. The set of services provided depends on options selected at the time of Security Association establishment and on the placement of the implementation.
Confidentiality may be selected independent of all other services. However, use of confidentiality without integrity/authentication (either in ESP or separately in AH) may subject traffic to certain forms of active attacks that could undermine the confidentiality service.
Data origin authentication and connectionless integrity are joint services (hereafter referred to jointly as "authentication) and are offered as an option in conjunction with (optional) confidentiality. The anti- replay service may be selected only if data origin authentication is selected, and its election is solely at the discretion of the receiver. Traffic flow confidentiality requires selection of tunnel mode, and is most effective if implemented at a security gateway, where traffic aggregation may be able to mask true source-destination patterns. Note that although both confidentiality and authentication are optional, at least one of them MUST be selected.
Header format
16 | 24 | 32 | Security Parameters Index | Sequence number | Payload data | Padding | Pad length | Next header | Authentication data |
- SPI, Security Parameters Index
32 bits. An arbitrary value that, in combination with the destination IP address and security protocol (ESP), uniquely identifies the SA for this datagram. The set of SPI values in the range 1 through 255 are reserved for future use. A reserved SPI value will not normally be assigned by IANA unless the use of the assigned SPI value is specified in an RFC . It is ordinarily selected by the destination system upon establishment of an SA. This field is mandatory. The value of zero is reserved for local, implementation- specific use and MUST NOT be sent on the wire. For example, a key management implementation MAY use the zero SPI value to mean "No Security Association Exists" during the period when the IPsec implementation has requested that its key management entity establish a new SA, but the SA has not yet been established.
- Sequence number
32 bits, unsigned. This field contains a monotonically increasing counter value. It is mandatory and is always present even if the receiver does not elect to enable the anti-replay service for a specific SA. Processing of this field is at the discretion of the receiver. The sender MUST always transmit this field, but the receiver need not act upon it. The sender's counter and the receiver's counter are initialized to 0 when an SA is established. The first packet sent using a given SA will have a Sequence number of 1. If anti-replay is enabled (the default), the transmitted Sequence number must never be allowed to cycle. Thus, the sender's counter and the receiver's counter MUST be reset (by establishing a new SA and thus a new key) prior to the transmission of the 2^32nd packet on an SA.
- Payload data
Variable length. Contains the data described by the Next header field. This field is mandatory and is an integral number of bytes in length. If the algorithm used to encrypt the payload requires cryptographic synchronization data, e.g., an Initialization Vector (IV), then this data MAY be carried explicitly in the Payload data field. Any encryption algorithm that requires such explicit, per-packet synchronization data MUST indicate the length, any structure for such data, and the location of this data as part of an RFC specifying how the algorithm is used with ESP. If such synchronization data is implicit, the algorithm for deriving the data MUST be part of the RFC .
- Padding
Variable length, 0 to 255 bytes. Padding may be required, irrespective of encryption algorithm requirements, to ensure that the resulting ciphertext terminates on a 4 byte boundary. Specifically, the Pad length and Next header fields must be right aligned within a 4 byte word to ensure that the Authentication data field, if present, is aligned on a 4 byte boundary.
- Pad length
8 bits. The Pad Length field indicates the number of pad bytes immediately preceding it.
- Next header
8 bits. An IPv4/IPv6 protocol number describing the format of the Payload data field.
- Authentication data
Variable length. Contains an ICV computed over the ESP packet minus the Authentication data. The length of the field is specified by the authentication function selected. This field is optional, and is included only if the authentication service has been selected for the SA in question. The authentication algorithm specification MUST specify the length of the ICV and the comparison rules and processing steps for validation.
ESP Header Location
Like AH, ESP may be employed in two ways: transport mode or tunnel mode. The former mode is applicable only to host implementations and provides protection for upper layer protocols, but not the IP header.
In transport mode, ESP is inserted after the IP header and before an upper layer protocol, e.g., TCP, UDP, ICMP, etc. or before any other IPsec headers that have already been inserted. In the context of IPv4, this translates to placing ESP after the IP header (and any options that it contains), but before the upper layer protocol.
- IPv4
Before Applying ESP
| orig IP hdr(any options) | TCP | Data |
After Applying ESP
-------------------------------------------------
|orig IP hdr | ESP | | | ESP | ESP|
|(any options)| Hdr | TCP | Data | Trailer |Auth|
-------------------------------------------------
|<----- encrypted ---->|
|<------ authenticated ----->|
IPv6
Before Applying ESP
| orig IP hdr | ext hdrs if present | TCP | Data |
After Applying ESP
---------------------------------------------------------
| orig |hop-by-hop,dest*,| |dest| | | ESP | ESP|
|IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer|Auth|
---------------------------------------------------------
|<---- encrypted ---->|
|<---- authenticated ---->|
Algorithms
The mandatory-to-implement algorithms are described in Section 5, "Conformance Requirements". Other algorithms MAY be supported. Note that although both confidentiality and authentication are optional, at least one of these services MUST be selected hence both algorithms MUST NOT be simultaneously NULL.
Outbound Packet Processing
In transport mode, the sender encapsulates the upper layer protocol information in the ESP header/trailer, and retains the specified IP header (and any IP extension headers in the IPv6 context). In tunnel mode, the outer and inner IP header/extensions can be inter-related in a variety of ways. The construction of the outer IP header/extensions during the encapsulation process is described in the Security Architecture document. If there is more than one IPsec header/extension required by security policy, the order of the application of the security headers MUST be defined by security policy.
Inbound Packet Processing
- Reassembly
If required, reassembly is performed prior to ESP processing. If a packet offered to ESP for processing appears to be an IP fragment, i.e., the OFFSET field is non-zero or the MORE FRAGMENTS flag is set, the receiver MUST discard the packet; this is an auditable event. The audit log entry for this event SHOULD include the SPI value, date/time received, Source Address, Destination Address, Sequence Number, and (in IPv6) the Flow ID.
- Security Association Lookup
Upon receipt of a (reassembled) packet containing an ESP Header, the receiver determines the appropriate (unidirectional) SA, based on the destination IP address, security protocol (ESP), and the SPI. (This process is described in more detail in the Security Architecture document.) The SA indicates whether the Sequence Number field will be checked, whether the Authentication Data field should be present, and it will specify the algorithms and keys to be employed for decryption and ICV computations (if applicable).
- Sequence Number Verification
All ESP implementations MUST support the anti-replay service, though its use may be enabled or disabled by the receiver on a per-SA basis. This service MUST NOT be enabled unless the authentication service also is enabled for the SA, since otherwise the Sequence Number field has not been integrity protected. (Note that there are no provisions for managing transmitted Sequence Number values among multiple senders directing traffic to a single SA (irrespective of whether the destination address is unicast, broadcast, or multicast). Thus the anti-replay service SHOULD NOT be used in a multi-sender environment that employs a single SA.)
- Integrity Check Value Verification
If authentication has been selected, the receiver computes the ICV over the ESP packet minus the Authentication Data using the specified authentication algorithm and verifies that it is the same as the ICV included in the Authentication Data field of the packet. Details of the computation are provided below.
If the computed and received ICV's match, then the datagram is valid, and it is accepted. If the test fails, then the receiver MUST discard the received IP datagram as invalid; this is an auditable event. The log data SHOULD include the SPI value, date/time received, Source Address, Destination Address, the Sequence Number, and (in IPv6) the cleartext Flow ID.
|
 Top of Page
|
| EXAMPLES |
|
|
Top of Page
|
| PROTOCOL RELATIONS |
■ Parent layer
■ Child layer
IP
| | ESP | |
Top of Page
|
| GLOSSARY |
|
AH
The IP Authentication Header (AH) seeks to provide security by adding authentication information to an IP datagram. This authentication information is calculated using all of the fields in the IP datagram (including not only the IP Header but also other headers and the user data) which do not change in transit. Fields or options which need to change in transit (e.g., hop count, time to live, ident, fragment offset, or routing pointer, such as audio and video. Sources of data can include both live data feeds and stored clips.
Inbound
Any call received by a call centre/customer contact centre.
Outbound
Any outgoing call from the call centre/customer contact centre to a customer.
SA
SA (Security Association) is a group of security settings related to a specific VPN tunnel. A Security Association groups together all the necessary settings needed to create a VPN tunnel. Different SAs may be created to connect branch offices, allow secure remote management, and pass unsupported traffic. All SAs require a specified encryption method, IPSec gateway address and destination network address. IKE includes a shared secret.
|
Top of Page
|
| REFERENCES |
RFCs:
[ RFC 1829] The ESP DES-CBC Transform.
[ RFC 1851] The ESP Triple DES Transform.
[ RFC 2401] Security Architecture for the Internet Protocol.
Obsoletes: RFC 1825.
[ RFC 2403] The Use of HMAC-MD5-96 within ESP and AH.
[ RFC 2404] The Use of HMAC-SHA-1-96 within ESP and AH.
[ RFC 2405] The ESP DES-CBC Cipher Algorithm With Explicit IV.
[ RFC 2406] IP Encapsulating Security Payload (ESP).
Obsoletes: RFC 1827.
[ RFC 2410] The NULL Encryption Algorithm and Its Use With IPsec.
[ RFC 2411] IP Security Document Roadmap.
[ RFC 2451] The ESP CBC-Mode Cipher Algorithms.
[ RFC 2857] The Use of HMAC-RIPEMD-160-96 within ESP and AH.
[ RFC 3095] RObust Header Compression (ROHC): Framework and four profiles: RTP, UDP, ESP, and uncompressed.
[ RFC 3686] Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP).
Obsolete RFCs:
[ RFC 1825] Security Architecture for the Internet Protocol.
Obsoleted by: RFC 2401.
[ RFC 1827] IP Encapsulating Security Payload (ESP).
Obsoleted by: RFC 2406.
|
Top of Page
|
| OTHER PROTOCOLS OF TCP/IP SUITE |
|
|
|
|
|
